Great site Tom. Definitely the place to go for ISA education.
I found a problem with the HTTP filter related to Activesync in particular. I only found one other user on the internet who also asked this question but for ISA 2004 so the problem may have been around for a while.
I have one listener and web publishing rule setup for RPC over HTTP/Activesync. I wanted to turn on the HTTP filter for these two services. I did so according to Microsoft's suggestions:
There is a chart there with the HTTP filtering settings for Exchange services, including Activesync and RPC over HTTP. According to these suggestions, you can deny all extensions except .dll for RPC over HTTP and .(dot) for Activesync.
The suggestion for RPC over HTTP does work. You can limit to just the .dll extension and everything is fine. However, allowing only the additional .(dot) does not result in Activesync working. You will get a "Denied Connection" in the log for all Activesync attempts. Removing the extension restrictions causes Activesync to function normally.
Therefore, for now, instead of limiting to just .dll and .(dot), I am blocking most other extensions. However, I would definitely like to know the exact correct extensions that Activesync uses so I can explicitly limit to just .dll and whatever Activesync needs.
If anyone has experimented and got this right, please let me know. It would also be great to get an update from Microsoft as well.
In the HTTP filter, one of the tabs is Extensions. You can either Allow all Extensions, Allow only the Following Extensions, or Deny the Following Extensions. Microsoft recommends that for RPC over HTTP, you select Allow only the Following Extensions and enter only .dll. That is the only extension needed for RPC over HTTP. That works perfectly.
In the same document (http://www.microsoft.com/technet/isa/2004/plan/httpfiltering.mspx), for Activesync, Microsoft recommends again selecting Allow only the Following Extensions, but entering only .(dot) This does not work and all Activesync connections are then denied. Therefore, either Activesync is using additional extensions or the filter is incorrectly identifying the traffic extensions and consequently denying it.
The only issue with these settings is that they block Windows Mobile 5.0 clients unless you disable to "block executables" part of the HTTP filter for your ActiveSync rule. Windows Mobile 2003 seems unaffected by by this settings, but v5.0 does.